From c0b4a735d7ad173f47aa534a48c1cb273e4d36f1 Mon Sep 17 00:00:00 2001
From: Jackie Wellons
Date: Thu, 31 Jul 2025 17:23:59 -0500
Subject: [PATCH 01/56] Hardware Testing Methodology
---
 methodologies/hardware_testing.json | 192 ++++++++++++++++++++++++++++
 1 file changed, 192 insertions(+)
 create mode 100644 methodologies/hardware_testing.json
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
new file mode 100644
index 0000000..849facc
--- /dev/null
+++ b/methodologies/hardware_testing.json
@@ -0,0 +1,192 @@
+{
+ "metadata": {
+ "title": "Hardware",
+ "release_date": "",
+ "description": "Bugcrowd Hardware Testing Methodology",
+ "vrt_version": ""
+ },
+ "content": {
+ "steps": [
+ {
+ "key": "passive_recon",
+ "title": "Passive Recon",
+ "description": "Information gathering before turning off or opening the device",
+ "type": "checklist",
+ "items":
+ [
+ {
+ "key": "open_source_intelligence",
+ "title": "Open Source Intelligence",
+ "description": "Gathering information using search engines to find publicly available information about the device",
+ "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, right.com.cn, codechine.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components",
+ "vrt_category": "sensitive_data_exposure"
+ },
+ {
+ "key": "network_scanning",
+ "title": "Network Scanning",
+ "description": "Scan the network for devices to find the one being tested, identify wirelss protocols in use",
+ "tools": "NMAP, Wireshark, tcpdump"
+ },
+ {
+ "key": "rf_scanning",
+ "title": "Radio Frequency Scanning",
+ "description": "Identify any radio communitcations, frequencies, modulation the device might be using, identify wirelss protocols in use",
+ "tools": "HackRF, LimeSDR, BladeRF, Universal Radio Hacker (URH), other various rf sniffers",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "bluetooth_ble",
+ "title": "Bluetooth and BLE",
+ "description": "Try to sniff the communication, check if it's encrypted, can it be decrypted, are replay attacks possible, check if sentisitve information being trasnmitted in plaintext",
+ "tools": "Flipper, Ubertooth, Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), btmon (linux), Bluetooth Virtual Sniffer (Windows)"
+ },
+ {
+ "key": "zigbee_lora",
+ "title": "ZigBee ",
+ "Description":"Try to sniff the 
communication, can you capture the encryption key exchange (during active recon see if it's hardcoded on the device), can the communication be decrypted, are replay attacks possible",
+ "tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software"
+ },
+ {
+ "key": "near_field_communication",
+ "title": "NFC Testing",
+ "description": "For card readers like access control locks and credit cards, can also be used in mobile testing. Try to read the information on the card, is it encrypted, can it be decrypted, can you forge a request, does the reader allow you to write to it so it will accept forged messages",
+ "tools": "flipper (base model is limited, additional hardware can be installed), Proxmark"
+ }
+ ]
+ },
+
+ ]
+ },
+ {
+ "key": "Active Recon",
+ "title": "Active Recon",
+ "description": "Opening up, sniffing, and probing the device under test (DUT)",
+ "type": "checklist",
+ "items": [
+ {
+ "key": "opening_device",
+ "title": "Opening up the Device Under Test",
+ "description": "Open of the device to identify the various component and find data sheets online for the vairous compnents, map out PCB, find open ports (UART, JTAG)",
+ "tools": "screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, Multimeter, XRAY, probes, oscillscope, magnifying glass, logic analyser",
+ "type": "checklist",
+ "items":
+ [
+ {
+ "key": "visual_component_identification",
+ "title": "Visual Component Identification",
+ "description": "Using a magnifying glass id the various compnents on the PCB in the device, determine what they do and how they connect together, look up datasheets for important compents online and read through them",
+ "tools": "magnifying glass, Search Engines"
+ },
+ {
+ "key": "measure_voltage_resistance_continuity",
+ "title": "Measuring Voltage, Resistance, and Continuity",
+ "description": "Using a multimeter id GND, 
Vcc, N/C, Pull-Up resistors to help map out the board verify the different pins identified in the datasheets, and enumerate debug ports",
+ "tools": "multimeter"
+ },
+ {
+ "key": "id_debug_ports",
+ "title": "ID Debug Ports",
+ "description": "Determine which debug protocls are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
+ "tools": "multimeter, logic analyser, oscillscope, soldering iron"
+ },
+ ]
+ }
+ ]
+ },
+ {
+ "key": "dump_download_firmware",
+ "title": "Dump or Download Firmware for Analysis",
+ "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
+ "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
+ },
+ {
+ "key":"firmware_analsys",
+ "title":"Firmware Analysis",
+ "description":"Reverse engineering the dumped firmware. ID encryption if used and try to decrypt it. Use emulation software to help analyse it. Analyse and search the firmware to hardcoded passwords/keys and other sensitive information.",
+ "tools":"binwalk, QEMU, Ghidra, binwally, grep, strings, hexdump, readelf"
+ },
+ {
+ "key":"testing_device",
+ "title":"Testing the Device",
+ "description":"Using all of the information gathered start testing the device for security vulnerabilities.",
+ "type":"checklist",
+ "items":[
+ {
+ "key":"replay_attacks",
+ "title":"Replay Attacks",
+ "decsription":"Using the sniffed traffic can you replay the messages sent to the device, will the device accept modified requests, can you make changes to the configuration. 
Device is sing unencrypted communication.",
+ "tools":"wireshart, hackRF, python"
+ },
+ {
+ "key":"shared_resources",
+ "title":"Improper Isolation of Shared Resources",
+ "decsription":"A SOC may use pin multiplexing allowing an untrsuted agent to access assets/info intended to trusted agents only",
+ "CWE":"CWE-1189"
+ },
+ {
+ "key":"bac_on_chip_debugger",
+ "title":"Broken Access Control for On-Chip Debugger",
+ "decsription":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access across during different boot stages.",
+ "CWE":"CWE-1191 and CWE-1244",
+ "tools":"jtagulator"
+ },
+ {
+ "key":"improper_lock_bit_protection",
+ "title":"Improer Lock Bit Protection",
+ "decsription":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.",
+ "CWE":"CWE-1231 and CWE-1233",
+ },
+ {
+ "key":"cryptographic_implemenation",
+ "title":"Cryptographic Implemtation",
+ "decsription":"Assess if the cryprogrphic algorithm in use is non-standard or a disallowed/non-compliant version.",
+ "CWE":"CWE-1240",
+ },
+ {
+ "key": "fault_injection_and_side_channel_attacks",
+ "title": "Fault Injection and Side Channel Attacks",
+ "description": "Test for fault injection attacks and Side Channel attacks that can be used to bypass security measures to dump the firmware, access sensitive information, to perform a code execution, skip authenitcation, privlege escalation, and side channel attacks.",
+ "CWE":"CWE-1256 and CWE-1300",
+ "tools": "chipwhisperer, oscillscope, pcb workstation with nano probes"
+ },
+ {
+ "key":"memory_overlap",
+ "title":"Improper Handling of Memory Overlap",
+ "description":"Assess if isolated memory regions and access conrol policies allow software with low privilges to make changes to overlapping memory also 
used by software running with higher privilges.",
+ "CWE":"CWE-1260"
+ },
+ {
+ "key":"clearing_memory_during_state_transition",
+ "title":"Sensitive Information Uncleard Before State Transition",
+ "description":"Assess if sensitive inforamtion only needed for one state is cleared after transitiong to the next state, such as during boot or waking up from sleep mode.",
+ "CWE":"CWE-1272"
+ },
+ {
+ "key":"volatile_memory_boot_code",
+ "title":"Improper Access Control for Volatile Memory for Boot Code",
+ "description":"Assess if the secure boot process can be bypassed to execute untrusted malicious boot code",
+ "CWE":"CWE-1274"
+ },
+ {
+ "key":"firmware_not_updating",
+ "title":"Firmware Not Getting Updates",
+ "description":"Verify if the firmware can receive regular updates as vulnerabilities are discovered in the future.",
+ "CWE":"CWE-1277"
+ },
+ ]
+ },
+ {
+ "key": "upload_logs",
+ "title": "Upload logs",
+ "description": "This should include all associated traffic associated to the in-scope targets.",
+ "type": "large_upload"
+ },
+ {
+ "key": "executive_summary",
+ "title": "Executive summary",
+ "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
+ "type": "executive_summary"
+ }
+ ]
+ }
+ }
\ No newline at end of file
From 10a71cb1c75ed9f772ff88d13c2e800315cc5f1e Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:46:05 +0530
Subject: [PATCH 02/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
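Review bot: Three keys in the new file break the snake_case naming every other key uses and are not corrected anywhere in this series: the step key `"key": "Active Recon"` in the second steps entry, the capitalised `"Description"` on the `zigbee_lora` item, and `"key":"cryptographic_implemenation"`, whose title and description patches 08 and 19 fix without touching the key. A consumer that looks fields up by exact name presumably treats `"Description"` as an unknown field and leaves that item without a description, so these should become `"key": "active_recon"`, `"description"` and `"key":"cryptographic_implementation"` (the key renames only if nothing references the old values). `CWE` is likewise the only non-lowercase key in the file, and only `open_source_intelligence` carries a `vrt_category`; whether the other checklist items should too depends on the methodology schema, which is not visible here. The trailing commas and the misspelled `decsription` keys this file also introduces are addressed by patches 08, 17, 21 and 22 later in the series and are not repeated here.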
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 849facc..1cb65fe 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -24,13 +24,13 @@
 {
 "key": "network_scanning",
 "title": "Network Scanning",
- "description": "Scan the network for devices to find the one being tested, identify wirelss protocols in use",
+ "description": "Scan the network for devices to find the one being tested, identify wireless protocols in use",
 "tools": "NMAP, Wireshark, tcpdump"
 },
 {
 "key": "rf_scanning",
 "title": "Radio Frequency Scanning",
- "description": "Identify any radio communitcations, frequencies, modulation the device might be using, identify wirelss protocols in use",
+ "description": "Identify any radio communitcations, frequencies, modulation the device might be using, identify wireless protocols in use",
 "tools": "HackRF, LimeSDR, BladeRF, Universal Radio Hacker (URH), other various rf sniffers",
 "type": "checklist",
 "items": [
From 9763ea39b769fdb63457573d5af70aef136b4725 Mon Sep 17 00:00:00 2001
From: Adarsha K S
Date: Fri, 29 Aug 2025 10:47:29 +0530
Subject: [PATCH 03/56] typo
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 1cb65fe..16f8f97 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -30,7 +30,7 @@
 {
 "key": "rf_scanning",
 "title": "Radio Frequency Scanning",
- "description": "Identify any radio communitcations, frequencies, modulation the device might be using, identify wireless protocols in use",
+ "description": "Identify any radio communications, frequencies, modulation the device might be using, identify wireless protocols in use",
 "tools": "HackRF, LimeSDR, BladeRF, Universal Radio Hacker (URH), other various rf sniffers",
 "type": "checklist",
 "items": [
From 1acfd9119c6e190a6b454c95c0cf8a1dabfb835f Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:49:10 +0530
Subject: [PATCH 04/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 16f8f97..bc458ed 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -66,7 +66,7 @@
 {
 "key": "opening_device",
 "title": "Opening up the Device Under Test",
- "description": "Open of the device to identify the various component and find data sheets online for the vairous compnents, map out PCB, find open ports (UART, JTAG)",
+ "description": "Open up the device to identify the various components and find data sheets online for the various components, map out PCB, find open ports (UART, JTAG)",
 "tools": "screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, Multimeter, XRAY, probes, oscillscope, magnifying glass, logic analyser",
 "type": "checklist",
 "items":
From 58c0de7af39594aaf65e36f3228b03c417099534 Mon Sep 17 00:00:00 2001
From: Adarsha K S
Date: Fri, 29 Aug 2025 10:51:02 +0530
Subject: [PATCH 05/56] typo
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index bc458ed..6a61312 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -37,7 +37,7 @@
 {
 "key": "bluetooth_ble",
 "title": "Bluetooth and BLE",
- "description": "Try to sniff the communication, check if it's encrypted, can it be decrypted, are replay attacks possible, check if sentisitve information being trasnmitted in plaintext",
+ "description": "Try to sniff the communication, check if it's encrypted, can it be decrypted, are replay attacks possible, check if sensitive information being transmitted in plaintext",
 "tools": "Flipper, Ubertooth, Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), btmon (linux), Bluetooth Virtual Sniffer (Windows)"
 },
 {
From 793fd7480b4036ced140a7808de4bc6ea4539be7 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:51:59 +0530
Subject: [PATCH 06/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 6a61312..91e25bf 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -74,7 +74,7 @@
 {
 "key": "visual_component_identification",
 "title": "Visual Component Identification",
- "description": "Using a magnifying glass id the various compnents on the PCB in the device, determine what they do and how they connect together, look up datasheets for important compents online and read through them",
+ "description": "Using a magnifying glass identify the various components on the PCB in the device, determine what they do and how they connect together, look up datasheets for important components online and read through them",
 "tools": "magnifying glass, Search Engines"
 },
 {
From 7838a4404cab07be74b5716644460c2e33feba2b Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:52:21 +0530
Subject: [PATCH 07/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 91e25bf..d7205bd 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -80,7 +80,7 @@
 {
 "key": "measure_voltage_resistance_continuity",
 "title": "Measuring Voltage, Resistance, and Continuity",
- "description": "Using a multimeter id GND, Vcc, N/C, Pull-Up resistors to help map out the board verify the different pins identified in the datasheets, and enumerate debug ports",
+ "description": "Using a multimeter identify GND, Vcc, N/C, Pull-Up resistors to help map out the board, verify the different pins identified in the datasheets, and enumerate debug ports",
 "tools": "multimeter"
 },
 {
From 5a92b4a765a69ac4c4de0e77554bc77b1d91193d Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:52:29 +0530
Subject: [PATCH 08/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index d7205bd..38ee3c5 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -139,7 +139,7 @@
 {
 "key":"cryptographic_implemenation",
 "title":"Cryptographic Implemtation",
- "decsription":"Assess if the cryprogrphic algorithm in use is non-standard or a disallowed/non-compliant version.",
+ "description":"Assess if the cryptographic algorithm in use is non-standard or a disallowed/non-compliant version.",
 "CWE":"CWE-1240",
 },
 {
From 90639314d178138156e01d799ec381f933b16933 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:52:47 +0530
Subject: [PATCH 09/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 38ee3c5..77bb40a 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -86,7 +86,7 @@
 {
 "key": "id_debug_ports",
 "title": "ID Debug Ports",
- "description": "Determine which debug protocls are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
+ "description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
 "tools": "multimeter, logic analyser, oscillscope, soldering iron"
 },
 ]
From 0629cf7dab7c3d5e78b934047bb44e2071667fad Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:53:23 +0530
Subject: [PATCH 10/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 77bb40a..f6df9d0 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -96,7 +96,7 @@
 {
 "key": "dump_download_firmware",
 "title": "Dump or Download Firmware for Analysis",
- "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
+ "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
 "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
 },
 {
From efd86bda5272dda0510655f01624a84efe38ac34 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:53:38 +0530
Subject: [PATCH 11/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index f6df9d0..6bd1193 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -100,7 +100,7 @@
 "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
 },
 {
- "key":"firmware_analsys",
+ "key":"firmware_analysis",
 "title":"Firmware Analysis",
 "description":"Reverse engineering the dumped firmware. ID encryption if used and try to decrypt it. Use emulation software to help analyse it. Analyse and search the firmware to hardcoded passwords/keys and other sensitive information.",
 "tools":"binwalk, QEMU, Ghidra, binwally, grep, strings, hexdump, readelf"
From 8ff974b5d9e3122e941f9413dc3dec38fa7877a6 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:54:20 +0530
Subject: [PATCH 12/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 6bd1193..e1be569 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -115,7 +115,7 @@
 "key":"replay_attacks",
 "title":"Replay Attacks",
 "decsription":"Using the sniffed traffic can you replay the messages sent to the device, will the device accept modified requests, can you make changes to the configuration. Device is sing unencrypted communication.",
- "tools":"wireshart, hackRF, python"
+ "tools":"Wireshark, hackRF, python"
 },
 {
 "key":"shared_resources",
From 7e211cd03edba25205c2ea1c1398d13305c8d1cf Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:54:40 +0530
Subject: [PATCH 13/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index e1be569..3cad4ac 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -158,7 +158,7 @@
 {
 "key":"clearing_memory_during_state_transition",
 "title":"Sensitive Information Uncleard Before State Transition",
- "description":"Assess if sensitive inforamtion only needed for one state is cleared after transitiong to the next state, such as during boot or waking up from sleep mode.",
+ "description":"Assess if sensitive information only needed for one state is cleared after transitioning to the next state, such as during boot or waking up from sleep mode.",
 "CWE":"CWE-1272"
 },
 {
From 64b04fbe9ca7b6aee9f6405ad3470dd17710a213 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:54:56 +0530
Subject: [PATCH 14/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 3cad4ac..10e0ab8 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -157,7 +157,7 @@
 },
 {
 "key":"clearing_memory_during_state_transition",
- "title":"Sensitive Information Uncleard Before State Transition",
+ "title":"Sensitive Information Uncleared Before State Transition",
 "description":"Assess if sensitive information only needed for one state is cleared after transitioning to the next state, such as during boot or waking up from sleep mode.",
 "CWE":"CWE-1272"
 },
From 6eca700702d5aff1d38829d5e9950058702549a7 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:55:39 +0530
Subject: [PATCH 15/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 10e0ab8..4532695 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -152,7 +152,7 @@
 {
 "key":"memory_overlap",
 "title":"Improper Handling of Memory Overlap",
- "description":"Assess if isolated memory regions and access conrol policies allow software with low privilges to make changes to overlapping memory also used by software running with higher privilges.",
+ "description":"Assess if isolated memory regions and access control policies allow software with low privileges to make changes to overlapping memory also used by software running with higher privileges.",
 "CWE":"CWE-1260"
 },
 {
From 616270ac439d0d20d2e93be072a4975093599031 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:55:55 +0530
Subject: [PATCH 16/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 4532695..c2ee6ea 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -145,7 +145,7 @@
 {
 "key": "fault_injection_and_side_channel_attacks",
 "title": "Fault Injection and Side Channel Attacks",
- "description": "Test for fault injection attacks and Side Channel attacks that can be used to bypass security measures to dump the firmware, access sensitive information, to perform a code execution, skip authenitcation, privlege escalation, and side channel attacks.",
+ "description": "Test for fault injection attacks and Side Channel attacks that can be used to bypass security measures to dump the firmware, access sensitive information, to perform a code execution, skip authentication, privilege escalation, and side channel attacks.",
 "CWE":"CWE-1256 and CWE-1300",
 "tools": "chipwhisperer, oscillscope, pcb workstation with nano probes"
 },
From c51ed5ce379ffec29f86aac5b58afc98814d03f7 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:56:19 +0530
Subject: [PATCH 17/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index c2ee6ea..c8017dc 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -120,7 +120,7 @@
 {
 "key":"shared_resources",
 "title":"Improper Isolation of Shared Resources",
- "decsription":"A SOC may use pin multiplexing allowing an untrsuted agent to access assets/info intended to trusted agents only",
+ "description":"A SOC may use pin multiplexing allowing an untrusted agent to access assets/info intended to trusted agents only",
 "CWE":"CWE-1189"
 },
 {
From 8a81fd94d68c8055605b1de0f31793568e357f7e Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:56:41 +0530
Subject: [PATCH 18/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index c8017dc..a2eb6fc 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -132,7 +132,7 @@
 },
 {
 "key":"improper_lock_bit_protection",
- "title":"Improer Lock Bit Protection",
+ "title":"Improper Lock Bit Protection",
 "decsription":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.",
 "CWE":"CWE-1231 and CWE-1233",
 },
From f7c4c15cad02b72114b3c3f39c58bf75949698d6 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:57:05 +0530
Subject: [PATCH 19/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index a2eb6fc..9579d47 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -138,7 +138,7 @@
 },
 {
 "key":"cryptographic_implemenation",
- "title":"Cryptographic Implemtation",
+ "title":"Cryptographic Implementation",
 "description":"Assess if the cryptographic algorithm in use is non-standard or a disallowed/non-compliant version.",
 "CWE":"CWE-1240",
 },
From 21d7987a582c4ee19cb42fee7187268a7a270184 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Fri, 29 Aug 2025 11:17:17 +0530
Subject: [PATCH 20/56] Update methodologies/hardware_testing.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 9579d47..9a2f91e 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -42,7 +42,7 @@
 },
 {
 "key": "zigbee_lora",
- "title": "ZigBee ",
+ "title": "ZigBee",
 "Description":"Try to sniff the communication, can you capture the encryption key exchange (during active recon see if it's hardcoded on the device), can the communication be decrypted, are replay attacks possible",
 "tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software"
 },
From 34cae49823ebec50e488fd4973038f0e347ec6a3 Mon Sep 17 00:00:00 2001
From: Adarsha K S
Date: Fri, 29 Aug 2025 11:20:40 +0530
Subject: [PATCH 21/56] build
---
 methodologies/hardware_testing.json | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 9a2f91e..48c1709 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -53,8 +53,7 @@
 "tools": "flipper (base model is limited, additional hardware can be installed), Proxmark"
 }
 ]
- },
-
+ }
 ]
 },
 {
@@ -88,7 +87,7 @@
 "title": "ID Debug Ports",
 "description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
 "tools": "multimeter, logic analyser, oscillscope, soldering iron"
- },
+ }
 ]
 }
 ]
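Review bot: The item this hunk retitles is keyed `zigbee_lora`, yet after the change its title names only ZigBee and nothing in its description or tools mentions LoRa, so the key promises coverage the entry does not deliver. Either rename it to `"key": "zigbee"` or extend the description and tools to LoRa; the rename is the smaller change if nothing references the key.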
@@ -134,13 +133,13 @@ "key":"improper_lock_bit_protection", "title":"Improper Lock Bit Protection", "decsription":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.", - "CWE":"CWE-1231 and CWE-1233", + "CWE":"CWE-1231 and CWE-1233" }, { "key":"cryptographic_implemenation", "title":"Cryptographic Implementation", "description":"Assess if the cryptographic algorithm in use is non-standard or a disallowed/non-compliant version.", - "CWE":"CWE-1240", + "CWE":"CWE-1240" }, { "key": "fault_injection_and_side_channel_attacks", @@ -172,7 +171,7 @@ "title":"Firmware Not Getting Updates", "description":"Verify if the firmware can receive regular updates as vulnerabilities are discovered in the future.", "CWE":"CWE-1277" - }, + } ] }, { From cd3c124e9399d4ffe547f5e256dc1562a3ca82a8 Mon Sep 17 00:00:00 2001 From: Adarsha K S Date: Fri, 29 Aug 2025 11:21:25 +0530 Subject: [PATCH 22/56] typo --- methodologies/hardware_testing.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 48c1709..d0e70f5 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -113,7 +113,7 @@ { "key":"replay_attacks", "title":"Replay Attacks", - "decsription":"Using the sniffed traffic can you replay the messages sent to the device, will the device accept modified requests, can you make changes to the configuration. Device is sing unencrypted communication.", + "description":"Using the sniffed traffic can you replay the messages sent to the device, will the device accept modified requests, can you make changes to the configuration. Device is using unencrypted communication.", "tools":"Wireshark, hackRF, python" }, { 
@@ -125,15 +125,15 @@
 {
 "key":"bac_on_chip_debugger",
 "title":"Broken Access Control for On-Chip Debugger",
-"decsription":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access across during different boot stages.",
+"description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access across during different boot stages.",
 "CWE":"CWE-1191 and CWE-1244",
 "tools":"jtagulator"
 },
 {
 "key":"improper_lock_bit_protection",
 "title":"Improper Lock Bit Protection",
-"decsription":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.",
-"CWE":"CWE-1231 and CWE-1233"
+"description":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.",
+"CWE":"CWE-1231 and CWE-1233"
 },
 {
 "key":"cryptographic_implemenation",
From 99ba8789651d89bfba0d275db46deec7f71c06a2 Mon Sep 17 00:00:00 2001
From: Adarsha K S
Date: Fri, 29 Aug 2025 11:28:50 +0530
Subject: [PATCH 23/56] added vrt version

---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index d0e70f5..0048e91 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -3,7 +3,7 @@
 "title": "Hardware",
 "release_date": "",
 "description": "Bugcrowd Hardware Testing Methodology",
-"vrt_version": ""
+"vrt_version": "1.17"
 },
 "content": {
 "steps": [
From ca66a4fc77458ec00a54126096edccbec863f929 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 11:36:53 +0530 Subject: [PATCH 24/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 0048e91..f3ccbdd 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -136,7 +136,7 @@ "CWE":"CWE-1231 and CWE-1233" }, { - "key":"cryptographic_implemenation", + "key":"cryptographic_implementation", "title":"Cryptographic Implementation", "description":"Assess if the cryptographic algorithm in use is non-standard or a disallowed/non-compliant version.", "CWE":"CWE-1240" From ac7fc4f130a20ba85961eb0c73a19ee24393e160 Mon Sep 17 00:00:00 2001 From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 11:37:23 +0530 Subject: [PATCH 25/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index f3ccbdd..7e2f3ea 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -102,7 +102,7 @@ "key":"firmware_analysis", "title":"Firmware Analysis", "description":"Reverse engineering the dumped firmware. ID encryption if used and try to decrypt it. Use emulation software to help analyse it. Analyse and search the firmware to hardcoded passwords/keys and other sensitive information.", - "tools":"binwalk, QEMU, Ghidra, binwally, grep, strings, hexdump, readelf" + "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf" }, { "key":"testing_device", 
From abae89e4cbfe38abda42c942fec34e024e8582af Mon Sep 17 00:00:00 2001 From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 11:38:01 +0530 Subject: [PATCH 26/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 7e2f3ea..7f7fc92 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -125,7 +125,7 @@ { "key":"bac_on_chip_debugger", "title":"Broken Access Control for On-Chip Debugger", - "description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access across during different boot stages.", + "description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access control during different boot stages.", "CWE":"CWE-1191 and CWE-1244", "tools":"jtagulator" }, From ad4f3c36217d7779decc9abad32c9518092dfdf1 Mon Sep 17 00:00:00 2001 From: Adarsha K S Date: Fri, 29 Aug 2025 11:43:40 +0530 Subject: [PATCH 27/56] typo --- methodologies/hardware_testing.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 7f7fc92..c8ec390 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json 
@@ -66,7 +66,7 @@ "key": "opening_device", "title": "Opening up the Device Under Test", "description": "Open up the device to identify the various components and find data sheets online for the various components, map out PCB, find open ports (UART, JTAG)", - "tools": "screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, Multimeter, XRAY, probes, oscillscope, magnifying glass, logic analyser", + "tools": "screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, Multimeter, XRAY, probes, oscilloscope, magnifying glass, logic analyzer", "type": "checklist", "items": [ @@ -86,7 +86,7 @@ "key": "id_debug_ports", "title": "ID Debug Ports", "description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them", - "tools": "multimeter, logic analyser, oscillscope, soldering iron" + "tools": "multimeter, logic analyzer, oscilloscope, soldering iron" } ] } @@ -146,7 +146,7 @@ "title": "Fault Injection and Side Channel Attacks", "description": "Test for fault injection attacks and Side Channel attacks that can be used to bypass security measures to dump the firmware, access sensitive information, to perform a code execution, skip authentication, privilege escalation, and side channel attacks.", "CWE":"CWE-1256 and CWE-1300", - "tools": "chipwhisperer, oscillscope, pcb workstation with nano probes" + "tools": "chipwhisperer, oscilloscope, pcb workstation with nano probes" }, { "key":"memory_overlap", From 1ea80d8a116922b7518f50fe7c41707f2d456bca Mon Sep 17 00:00:00 2001 
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 12:51:15 +0530 Subject: [PATCH 28/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index c8ec390..25a483c 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -43,7 +43,7 @@ { "key": "zigbee_lora", "title": "ZigBee", - "Description":"Try to sniff the communication, can you capture the encryption key exchange (during active recon see if it's hardcoded on the device), can the communication be decrypted, are replay attacks possible", + "description":"Try to sniff the communication, can you capture the encryption key exchange (during active recon see if it's hardcoded on the device), can the communication be decrypted, are replay attacks possible", "tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software" }, { From a8437b1eb00d1e31e38e983f4fdd32d42d17d685 Mon Sep 17 00:00:00 2001 From: Adarsha K S Date: Fri, 29 Aug 2025 12:58:19 +0530 Subject: [PATCH 29/56] add tool for open source intelligence --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 25a483c..8c03b42 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json 
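Review bot: A key differing only in case (`"Description"`) survived until this commit, which suggests the item schema does not reject unknown properties. If `schema.json` declared the item objects with `"additionalProperties": false`, a mis-cased or misspelt key like this one, and the `"decsription"` keys fixed in PATCH 22, would fail validation instead of silently dropping the field from every consumer. Worth confirming the schema closes these objects rather than relying on review to catch the next one.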
@@ -18,7 +18,7 @@ "key": "open_source_intelligence", "title": "Open Source Intelligence", "description": "Gathering information using search engines to find publicly available information about the device", - "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, right.com.cn, codechine.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components", + "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, qichacha.com, right.com.cn, codechine.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components", "vrt_category": "sensitive_data_exposure" }, { From c92f7125234fd646016ab90b26cbabf55251e762 Mon Sep 17 00:00:00 2001 From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 13:00:52 +0530 Subject: [PATCH 30/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 8c03b42..98dd9b4 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -145,7 +145,7 @@ "key": "fault_injection_and_side_channel_attacks", "title": "Fault Injection and Side Channel Attacks", "description": "Test for fault injection attacks and Side Channel attacks that can be used to bypass security measures to dump the firmware, access sensitive information, to perform a code execution, skip authentication, privilege escalation, and side channel attacks.", - "CWE":"CWE-1256 and CWE-1300", + "CWE": ["CWE-1256", "CWE-1300"], "tools": "chipwhisperer, oscilloscope, pcb workstation with nano probes" }, { 
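Review bot: Turning `CWE` into an array here (and in PATCH 31 and PATCH 33) leaves the field with two types in one document: the single-reference items on the same list keep strings (`"CWE":"CWE-1240"`, `"CWE":"CWE-1277"`), so every consumer now has to branch on `isinstance`. Making it an array everywhere, `"CWE": ["CWE-1240"]`, keeps one shape per key and lets the schema pin `"type": "array"` with a `"pattern"` on the items. `CWE` is also the only upper-case key in the file; if the schema permits, `cwe` would match `vrt_category` and the other snake_case keys.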
From 52ef396bddc1fa976f3d1667335d8e5819de25d3 Mon Sep 17 00:00:00 2001 From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 13:01:04 +0530 Subject: [PATCH 31/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 98dd9b4..f87af0e 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -126,7 +126,7 @@ "key":"bac_on_chip_debugger", "title":"Broken Access Control for On-Chip Debugger", "description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access control during different boot stages.", - "CWE":"CWE-1191 and CWE-1244", + "CWE": ["CWE-1191", "CWE-1244"], "tools":"jtagulator" }, { From c15770a3cb775de6071b0c019ac348be899f6081 Mon Sep 17 00:00:00 2001 From: Adarsha K S Date: Fri, 29 Aug 2025 13:03:12 +0530 Subject: [PATCH 32/56] typo --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index f87af0e..bbedfeb 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json 
@@ -18,7 +18,7 @@ "key": "open_source_intelligence", "title": "Open Source Intelligence", "description": "Gathering information using search engines to find publicly available information about the device", - "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, qichacha.com, right.com.cn, codechine.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components", + "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, qichacha.com, right.com.cn, codechina.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components", "vrt_category": "sensitive_data_exposure" }, { From 611dc003a049559d7f5716a4f13079a9b4d0d0ed Mon Sep 17 00:00:00 2001 From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 13:08:46 +0530 Subject: [PATCH 33/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index bbedfeb..df13a38 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -133,7 +133,7 @@ "key":"improper_lock_bit_protection", "title":"Improper Lock Bit Protection", "description":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.", - "CWE":"CWE-1231 and CWE-1233" + "CWE": ["CWE-1231", "CWE-1233"] }, { "key":"cryptographic_implementation", From a3267cb50e925748163686309f2a5b0e9cbe831d Mon Sep 17 00:00:00 2001 
From: Adarsha K S Date: Fri, 29 Aug 2025 13:15:52 +0530 Subject: [PATCH 34/56] key fix --- lib/tests/__init__.py | 0 lib/tests/test_.py | 28 --------------- lib/tests/test_template_mapping.py | 55 ----------------------------- lib/utils/__init__.py | 0 lib/utils/utils.py | 14 -------- methodologies/hardware_testing.json | 2 +- 6 files changed, 1 insertion(+), 98 deletions(-) delete mode 100644 lib/tests/__init__.py delete mode 100644 lib/tests/test_.py delete mode 100644 lib/tests/test_template_mapping.py delete mode 100644 lib/utils/__init__.py delete mode 100644 lib/utils/utils.py diff --git a/lib/tests/__init__.py b/lib/tests/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/lib/tests/test_.py b/lib/tests/test_.py deleted file mode 100644 index 503da6c..0000000 --- a/lib/tests/test_.py +++ /dev/null @@ -1,28 +0,0 @@ -from utils import utils -import unittest -import subprocess -import jsonschema -import glob -import os - -class TestMethodologies(unittest.TestCase): - def setUp(self): - self.methodologyFilenames = [] - for filename in glob.glob(utils.METHODOLOGIES_DIR + '/*.json'): - self.methodologyFilenames.append(filename) - - def validate_schema(self, schema_file, data_file): - print("validating ", data_file) - schema = utils.get_json(schema_file) - data = utils.get_json(data_file) - jsonschema.Draft7Validator.check_schema(schema) - error = jsonschema.exceptions.best_match(jsonschema.Draft7Validator(schema).iter_errors(data)) - if error: - raise error - - def test_schemas(self): - for methodologyFilename in self.methodologyFilenames: - self.validate_schema(utils.SCHEMA_FILENAME, methodologyFilename) - -if __name__ == '__main__': - unittest.main() diff --git a/lib/tests/test_template_mapping.py b/lib/tests/test_template_mapping.py deleted file mode 100644 index 21daeb6..0000000 --- a/lib/tests/test_template_mapping.py +++ /dev/null 
@@ -1,55 +0,0 @@ -from utils import utils -from tests.test_ import TestMethodologies -import os -import unittest -import requests - -class TestTemplateMapping(unittest.TestCase): - def setUp(self): - self.template_schema = os.path.join( - utils.MAPPING_DIR, - utils.TEMPLATE_SCHEMA - ) - self.template_filename = os.path.join( - utils.MAPPING_DIR, - utils.TEMPLATE_FILENAME - ) - - def test_mapping_schemas(self): - """ - Validate the mapping templates using template.schema.json - get the mapping data from templates.json - and validating the templates data - """ - TestMethodologies.validate_schema( - TestMethodologies, - self.template_schema, - self.template_filename - ) - - mapping = utils.get_json(self.template_filename) - - self.validate_mapping_data(mapping['content']) - - def validate_mapping_data(self, mapping): - for methodologyData in mapping: - self.check_template_exists(methodologyData['methodology'], methodologyData['children']) - - def check_template_exists(self, methodology, steps): - """ - Check a template mapping path from templates.json file - and check methodology template exists (or not) in template repository - if the template is not found, it will give an error for template missing - """ - print("validating methodology : %s" % methodology) - - for step in steps: - template_path = os.path.join('methodology', step['attribute'], methodology, step['template']) - template_url = utils.TEMPLATE_BASE_URL + template_path - response = requests.request("GET", template_url) - print("validating methodology step : %s" % step['key']) - - self.assertEqual(response.status_code, 200, 'Missing template file for %s mapping' % methodology) - -if __name__ == "__main__": - unittest.main() diff --git a/lib/utils/__init__.py b/lib/utils/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/lib/utils/utils.py b/lib/utils/utils.py deleted file mode 100644 index 2efa448..0000000 --- a/lib/utils/utils.py +++ /dev/null 
@@ -1,14 +0,0 @@ -import json -import git - -SCHEMA_FILENAME = 'schema.json' -METHODOLOGIES_DIR = 'methodologies' -MAPPING_DIR = 'mappings' -TEMPLATE_FILENAME = 'templates.json' -TEMPLATE_SCHEMA = 'templates.schema.json' -TEMPLATE_BASE_URL = 'https://github.com/bugcrowd/templates/tree/master/' - - -def get_json(filename): - with open(filename) as f: - return json.loads(f.read()) \ No newline at end of file diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index df13a38..0d3424a 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -57,7 +57,7 @@ ] }, { - "key": "Active Recon", + "key": "active_recon", "title": "Active Recon", "description": "Opening up, sniffing, and probing the device under test (DUT)", "type": "checklist", From 285dc28c2d008f18ecc8c26dacb58325dd0cd558 Mon Sep 17 00:00:00 2001 From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 17:26:20 +0530 Subject: [PATCH 35/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 0d3424a..3f6ba96 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json 
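Review bot: The `"Active Recon"` → `"active_recon"` key fix is right, but this commit also deletes `lib/tests/` and `lib/utils/` — the schema test harness — with nothing in the subject `key fix` saying so, and PATCH 39 restores the same files unchanged, so the removal looks like an accidental stage. Keeping unrelated file removals out of a one-line fix keeps the history reviewable and the validation test runnable at every commit.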
@@ -101,7 +101,7 @@ { "key":"firmware_analysis", "title":"Firmware Analysis", - "description":"Reverse engineering the dumped firmware. ID encryption if used and try to decrypt it. Use emulation software to help analyse it. Analyse and search the firmware to hardcoded passwords/keys and other sensitive information.", + "description":"Reverse engineering the dumped firmware. Identify encryption if used and try to decrypt it. Use emulation software to help analyze it. Analyze and search the firmware for hardcoded passwords/keys and other sensitive information.", "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf" }, { From d9ed92fc00e0d4b602b35380ceb003581467de27 Mon Sep 17 00:00:00 2001 From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 17:42:28 +0530 Subject: [PATCH 36/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 3f6ba96..90369df 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json 
@@ -42,9 +42,9 @@ }, { "key": "zigbee_lora", - "title": "ZigBee", - "description":"Try to sniff the communication, can you capture the encryption key exchange (during active recon see if it's hardcoded on the device), can the communication be decrypted, are replay attacks possible", - "tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software" + "title": "ZigBee and LoRa", + "description":"For ZigBee and LoRa devices, try to sniff the communication, capture the encryption key exchange (during active recon see if it's hardcoded on the device), check if the communication can be decrypted, and determine if replay attacks are possible. For LoRa, also check for LoRaWAN-specific vulnerabilities, such as weak join procedures, unencrypted payloads, and improper key management.", + "tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software, Semtech LoRaWAN sniffer, TTN Packet Forwarder, SDR tools supporting LoRa (HackRF, LimeSDR, BladeRF), Universal Radio Hacker (URH)" }, { "key": "near_field_communication", From e605fdbbbcedf1f2bb594f366e23e6a0f2cfdb6a Mon Sep 17 00:00:00 2001 From: Adarsha K S Date: Fri, 29 Aug 2025 18:58:22 +0530 Subject: [PATCH 37/56] added release date --- methodologies/hardware_testing.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 90369df..3f6dbc2 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -1,7 +1,7 @@ { "metadata": { "title": "Hardware", - "release_date": "", + "release_date": "2025-08-29T00:00:00+00:00", "description": "Bugcrowd Hardware Testing Methodology", "vrt_version": "1.17" }, From 8be701610553708711ea1151e4d76769010f393d Mon Sep 17 00:00:00 2001 
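Review bot: `Semtech LoRaWAN sniffer` and `TTN Packet Forwarder` in the new `tools` value are not tools a tester can look up: I cannot place the first as a specific product, and the packet forwarder is gateway software that relays frames to a network server rather than a capture tool on its own, so name the concrete tool (or the SDR plus decoder combination) or drop them. The new `"description":"` line also lacks the space after the colon that the sibling `"title": ` and `"tools": ` lines use, which the later format-fix commit does not pick up.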
From: Adarsha K S Date: Fri, 29 Aug 2025 19:35:12 +0530 Subject: [PATCH 38/56] format fix --- methodologies/hardware_testing.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index 3f6dbc2..c3d0eef 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json @@ -18,7 +18,7 @@ "key": "open_source_intelligence", "title": "Open Source Intelligence", "description": "Gathering information using search engines to find publicly available information about the device", - "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, qichacha.com, right.com.cn, codechina.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components", + "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, qichacha.com, right.com.cn, codechina.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components", "vrt_category": "sensitive_data_exposure" }, { @@ -35,9 +35,9 @@ "type": "checklist", "items": [ { - "key": "bluetooth_ble", - "title": "Bluetooth and BLE", - "description": "Try to sniff the communication, check if it's encrypted, can it be decrypted, are replay attacks possible, check if sensitive information being transmitted in plaintext", + "key": "bluetooth_ble", + "title": "Bluetooth and BLE", + "description": "Try to sniff the communication, check if it's encrypted, can it be decrypted, are replay attacks possible, check if sensitive information being transmitted in plaintext", "tools": "Flipper, Ubertooth, Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), btmon (linux), Bluetooth Virtual Sniffer (Windows)" }, { 
@@ -105,16 +105,16 @@ "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf" }, { - "key":"testing_device", + "key":"testing_device", "title":"Testing the Device", "description":"Using all of the information gathered start testing the device for security vulnerabilities.", "type":"checklist", "items":[ { - "key":"replay_attacks", - "title":"Replay Attacks", - "description":"Using the sniffed traffic can you replay the messages sent to the device, will the device accept modified requests, can you make changes to the configuration. Device is using unencrypted communication.", - "tools":"Wireshark, hackRF, python" + "key":"replay_attacks", + "title":"Replay Attacks", + "description":"Using the sniffed traffic, determine if replay attacks are possible. Check if the device accepts modified requests and if you can make changes to the configuration. Verify if the device uses unencrypted communication.", + "tools":"Wireshark, hackRF, python" }, { "key":"shared_resources", From 25256f1a0b00b6a11c7c791e0309bc96a20fc489 Mon Sep 17 00:00:00 2001 From: Adarsha K S Date: Fri, 29 Aug 2025 19:40:25 +0530 Subject: [PATCH 39/56] re add deleted files --- lib/tests/__init__.py | 0 lib/tests/test_.py | 28 +++++++++++++++ lib/tests/test_template_mapping.py | 55 ++++++++++++++++++++++++++++++ lib/utils/__init__.py | 0 lib/utils/utils.py | 14 ++++++++ 5 files changed, 97 insertions(+) create mode 100644 lib/tests/__init__.py create mode 100644 lib/tests/test_.py create mode 100644 lib/tests/test_template_mapping.py create mode 100644 lib/utils/__init__.py create mode 100644 lib/utils/utils.py diff --git a/lib/tests/__init__.py b/lib/tests/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/lib/tests/test_.py b/lib/tests/test_.py new file mode 100644 index 0000000..503da6c --- /dev/null +++ b/lib/tests/test_.py 
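Review bot: The rewritten `replay_attacks` item still carries no `CWE` key, while the sibling items in `testing_device` (`CWE-1191`, `CWE-1231`, `CWE-1240`, `CWE-1277`) each do, so a consumer walking the list for CWE references skips this one. `"CWE": "CWE-294"` (Authentication Bypass by Capture-replay) fits the replay check and `CWE-319` (Cleartext Transmission of Sensitive Information) covers the unencrypted-communication clause. The whitespace-only re-indent of the surrounding lines would have been clearer as its own commit so the wording change stands out in the diff.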
@@ -0,0 +1,28 @@ +from utils import utils +import unittest +import subprocess +import jsonschema +import glob +import os + +class TestMethodologies(unittest.TestCase): + def setUp(self): + self.methodologyFilenames = [] + for filename in glob.glob(utils.METHODOLOGIES_DIR + '/*.json'): + self.methodologyFilenames.append(filename) + + def validate_schema(self, schema_file, data_file): + print("validating ", data_file) + schema = utils.get_json(schema_file) + data = utils.get_json(data_file) + jsonschema.Draft7Validator.check_schema(schema) + error = jsonschema.exceptions.best_match(jsonschema.Draft7Validator(schema).iter_errors(data)) + if error: + raise error + + def test_schemas(self): + for methodologyFilename in self.methodologyFilenames: + self.validate_schema(utils.SCHEMA_FILENAME, methodologyFilename) + +if __name__ == '__main__': + unittest.main() diff --git a/lib/tests/test_template_mapping.py b/lib/tests/test_template_mapping.py new file mode 100644 index 0000000..21daeb6 --- /dev/null +++ b/lib/tests/test_template_mapping.py 
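Review bot: `import subprocess` in `lib/tests/test_.py` is unused and should go. `validate_schema` raises only `best_match` of the error iterator, so a file with several schema violations needs one run per violation to surface them all; collecting `errors = list(jsonschema.Draft7Validator(schema).iter_errors(data))` and failing with the whole list reports everything in one pass. `setUp` also builds `methodologyFilenames` with a loop that `list(glob.glob(...))` expresses directly.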
@@ -0,0 +1,55 @@ +from utils import utils +from tests.test_ import TestMethodologies +import os +import unittest +import requests + +class TestTemplateMapping(unittest.TestCase): + def setUp(self): + self.template_schema = os.path.join( + utils.MAPPING_DIR, + utils.TEMPLATE_SCHEMA + ) + self.template_filename = os.path.join( + utils.MAPPING_DIR, + utils.TEMPLATE_FILENAME + ) + + def test_mapping_schemas(self): + """ + Validate the mapping templates using template.schema.json + get the mapping data from templates.json + and validating the templates data + """ + TestMethodologies.validate_schema( + TestMethodologies, + self.template_schema, + self.template_filename + ) + + mapping = utils.get_json(self.template_filename) + + self.validate_mapping_data(mapping['content']) + + def validate_mapping_data(self, mapping): + for methodologyData in mapping: + self.check_template_exists(methodologyData['methodology'], methodologyData['children']) + + def check_template_exists(self, methodology, steps): + """ + Check a template mapping path from templates.json file + and check methodology template exists (or not) in template repository + if the template is not found, it will give an error for template missing + """ + print("validating methodology : %s" % methodology) + + for step in steps: + template_path = os.path.join('methodology', step['attribute'], methodology, step['template']) + template_url = utils.TEMPLATE_BASE_URL + template_path + response = requests.request("GET", template_url) + print("validating methodology step : %s" % step['key']) + + self.assertEqual(response.status_code, 200, 'Missing template file for %s mapping' % methodology) + +if __name__ == "__main__": + unittest.main() diff --git a/lib/utils/__init__.py b/lib/utils/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/lib/utils/utils.py b/lib/utils/utils.py new file mode 100644 index 0000000..2efa448 --- /dev/null +++ b/lib/utils/utils.py 
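Review bot: `requests.request("GET", template_url)` in `check_template_exists` sets no `timeout`, so one stalled connection hangs the whole test run; `requests.get(template_url, timeout=10)` bounds it. `TestMethodologies.validate_schema(TestMethodologies, ...)` passes the class object as `self`, which only works because the method never reads instance state — making `validate_schema` a `@staticmethod` (or a function in `utils`) removes the trick. The check also fetches GitHub's HTML `tree` page for every step on every run, which ties the suite to network availability and rate limits; a local checkout of the templates repository would make it deterministic.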
@@ -0,0 +1,14 @@ +import json +import git + +SCHEMA_FILENAME = 'schema.json' +METHODOLOGIES_DIR = 'methodologies' +MAPPING_DIR = 'mappings' +TEMPLATE_FILENAME = 'templates.json' +TEMPLATE_SCHEMA = 'templates.schema.json' +TEMPLATE_BASE_URL = 'https://github.com/bugcrowd/templates/tree/master/' + + +def get_json(filename): + with open(filename) as f: + return json.loads(f.read()) \ No newline at end of file From ecd5f4d18f216daffdfab27989da022cc212095d Mon Sep 17 00:00:00 2001 From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com> Date: Fri, 29 Aug 2025 19:49:15 +0530 Subject: [PATCH 40/56] Update methodologies/hardware_testing.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- methodologies/hardware_testing.json | 39 ++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json index c3d0eef..159e392 100644 --- a/methodologies/hardware_testing.json +++ b/methodologies/hardware_testing.json 
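Review bot: `import git` in `lib/utils/utils.py` is unused, pulls in the third-party GitPython package for nothing, and makes the test suite fail at import wherever it is not installed. `get_json` opens the file without an explicit encoding, so a non-UTF-8 locale can mis-decode the methodology files; `with open(filename, encoding="utf-8") as f: return json.load(f)` fixes that and drops the redundant `f.read()`. The diff also records the missing trailing newline at end of file.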
@@ -93,16 +93,25 @@
 ]
 },
 {
- "key": "dump_download_firmware",
- "title": "Dump or Download Firmware for Analysis",
- "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
- "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
- },
- {
- "key":"firmware_analysis",
- "title":"Firmware Analysis",
- "description":"Reverse engineering the dumped firmware. Identify encryption if used and try to decrypt it. Use emulation software to help analyze it. Analyze and search the firmware for hardcoded passwords/keys and other sensitive information.",
- "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf"
+ "key": "firmware",
+ "title": "Accessing and Analysing Firmware",
+ "description": "Using info gathered during active and passive recon access and reverse engineer the firmware for the device.",
+ "type": "checklist",
+ "items":
+ [
+ {
+ "key": "dump_download_firmware",
+ "title": "Dump or Download Firmware for Analysis",
+ "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
+ "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
+ },
+ {
+ "key":"firmware_analysis",
+ "title":"Firmware Analysis",
+ "description":"Reverse engineering the dumped firmware. Identify encryption if used and try to decrypt it. Use emulation software to help analyze it. Analyze and search the firmware for hardcoded passwords/keys and other sensitive information.",
+ "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf"
+ },
+ ]
 },
 {
 "key":"testing_device",
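Review bot: The new `items` array ends with `},` followed by `]`, a trailing comma that RFC 8259 parsers reject, so the file no longer loads as strict JSON; the last element should close with a bare `}`. The block also mixes `"key": "dump_download_firmware"` with `"key":"firmware_analysis"` (no space after the colon), and the new title "Accessing and Analysing Firmware" uses British spelling next to "Analysis"/"analyze" in the same step. A pass through `python -m json.tool` would catch the comma and settle the spacing for the whole file.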
@@ -127,7 +136,7 @@
 "title":"Broken Access Control for On-Chip Debugger",
 "description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access control during different boot stages.",
 "CWE": ["CWE-1191", "CWE-1244"],
- "tools":"jtagulator"
+ "tools":"jtagulator, SOIC-8 clip"
 },
 {
 "key":"improper_lock_bit_protection",
@@ -144,7 +153,7 @@
 {
 "key": "fault_injection_and_side_channel_attacks",
 "title": "Fault Injection and Side Channel Attacks",
- "description": "Test for fault injection attacks and Side Channel attacks that can be used to bypass security measures to dump the firmware, access sensitive information, to perform a code execution, skip authentication, privilege escalation, and side channel attacks.",
+ "description": "Test for fault injection and side channel attacks that can bypass security measures to dump firmware, access sensitive information, perform code execution, skip authentication, or escalate privileges.",
 "CWE": ["CWE-1256", "CWE-1300"],
 "tools": "chipwhisperer, oscilloscope, pcb workstation with nano probes"
 },
@@ -171,6 +180,12 @@
 "title":"Firmware Not Getting Updates",
 "description":"Verify if the firmware can receive regular updates as vulnerabilities are discovered in the future.",
 "CWE":"CWE-1277"
+ },
+ {
+ "key":"root_shell",
+ "title":"Root Shell Access",
+ "description":"Try to gain root shell access on the device using an enabled communication protocol, i.e. telnet or ssh, or using an open debug port to interrupt the boot process.",
+ "tools":"SOIC-8 clip, Burp, Caido, Screen"
 }
 ]
 },
From c52f6058ec4a4934dee600f51a38683cc4b1530a Mon Sep 17 00:00:00 2001
From: Adarsha K S
Date: Mon, 1 Sep 2025 18:57:39 +0530
Subject: [PATCH 41/56] fix

---
 methodologies/hardware_testing.json | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

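Review bot: An SOIC-8 clip attaches to an 8-pin SPI flash package, so adding it to the `tools` of `bac_on_chip_debugger`, an item about JTAG/on-chip-debug access control, reads as a mismatch; it fits `dump_download_firmware`, which already describes desoldering the SPI flash. If the intent is that flash contents reveal how the debug interface is locked, that belongs in the description rather than in `tools`.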
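Review bot: The new `root_shell` description uses `i.e. telnet or ssh` where telnet and ssh are examples, so `e.g.` is meant; `"description":"Try to gain root shell access on the device using an enabled network service, e.g. telnet or SSH, or using an open debug port to interrupt the boot process."` also names the category precisely. Unlike most of its siblings in this list the item carries no `CWE` array, so it cannot be mapped the way the other checks are; if the omission is deliberate it is worth stating, otherwise CWE-1191, already used for the debugger-access item, may be the closest fit for the debug-port half. The enclosing `items` array and step close inside this hunk, but the step header is outside it.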
diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 159e392..74d4084 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -99,18 +99,18 @@
 "type": "checklist",
 "items":
 [
- {
- "key": "dump_download_firmware",
- "title": "Dump or Download Firmware for Analysis",
- "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
- "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
- },
- {
- "key":"firmware_analysis",
- "title":"Firmware Analysis",
- "description":"Reverse engineering the dumped firmware. Identify encryption if used and try to decrypt it. Use emulation software to help analyze it. Analyze and search the firmware for hardcoded passwords/keys and other sensitive information.",
- "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf"
- },
+ {
+ "key": "dump_download_firmware",
+ "title": "Dump or Download Firmware for Analysis",
+ "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
+ "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
+ },
+ {
+ "key":"firmware_analysis",
+ "title":"Firmware Analysis",
+ "description":"Reverse engineering the dumped firmware. Identify encryption if used and try to decrypt it. Use emulation software to help analyze it. Analyze and search the firmware for hardcoded passwords/keys and other sensitive information.",
+ "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf"
+ }
 ]
 },
 {
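Review bot: The re-indented block still carries two spacing styles in one array — `"key": "dump_download_firmware"` with a space after the colon, `"key":"firmware_analysis"` without — and this whitespace-only commit was the natural place to normalise them. Pick the spaced form, which most of the file uses, and apply it file-wide with a formatter rather than hunk by hunk. The commit subject "fix" also leaves the reader to discover that the trailing comma was the bug.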
From 2ea75e773206c96115c5c94e577bab813566ec9e Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 21:42:52 +0530
Subject: [PATCH 42/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 74d4084..c7ad392 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -43,7 +43,7 @@
 {
 "key": "zigbee_lora",
 "title": "ZigBee and LoRa",
- "description":"For ZigBee and LoRa devices, try to sniff the communication, capture the encryption key exchange (during active recon see if it's hardcoded on the device), check if the communication can be decrypted, and determine if replay attacks are possible. For LoRa, also check for LoRaWAN-specific vulnerabilities, such as weak join procedures, unencrypted payloads, and improper key management.",
+ "description": "For ZigBee and LoRa devices, try to sniff the communication, capture the encryption key exchange (during active recon see if it's hardcoded on the device), check if the communication can be decrypted, and determine if replay attacks are possible. For LoRa, also check for LoRaWAN-specific vulnerabilities, such as weak join procedures, unencrypted payloads, and improper key management.",
 "tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software, Semtech LoRaWAN sniffer, TTN Packet Forwarder, SDR tools supporting LoRa (HackRF, LimeSDR, BladeRF), Universal Radio Hacker (URH)"
 },
 {
From 7b89ce8661b08b1e684fa54a10001a2ab2563b7d Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 21:45:07 +0530
Subject: [PATCH 43/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index c7ad392..59e958d 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -185,7 +185,7 @@
 "key":"root_shell",
 "title":"Root Shell Access",
 "description":"Try to gain root shell access on the device using an enabled communication protocol, i.e. telnet or ssh, or using an open debug port to interrupt the boot process.",
- "tools":"SOIC-8 clip, Burp, Caido, Screen"
+ "tools":"SOIC-8 clip, Burp, Caido, GNU Screen"
 }
 ]
 },
From a5c19ba17d7664f67dfe6295c7ec68889ac54470 Mon Sep 17 00:00:00 2001
From: Adarsha K S
Date: Tue, 2 Sep 2025 21:51:03 +0530
Subject: [PATCH 44/56] added empty caption fields

---
 methodologies/hardware_testing.json | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 59e958d..55481fc 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -17,6 +17,7 @@
 {
 "key": "open_source_intelligence",
 "title": "Open Source Intelligence",
+ "caption": "",
 "description": "Gathering information using search engines to find publicly available information about the device",
 "tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, qichacha.com, right.com.cn, codechina.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components",
 "vrt_category": "sensitive_data_exposure"
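Review bot: Every item gains `"caption": ""`, an empty string standing in for "no caption yet", so a consumer cannot tell a deliberately blank caption from an unfilled one and a schema rule such as `minLength` can never be applied; the same applies to this commit's other hunks (`@@ -24,12`, `@@ -37,18`, `@@ -65,6`, `@@ -73,18`, `@@ -102,12`, `@@ -122,18`, `@@ -141,18`, `@@ -160,30`). If `caption` is optional, omit the key until there is text; if the schema that validates this file (presumably `schema.json`) requires it, let the schema accept absence or `null`, or fill the captions in now. A one-line commit body saying which of these is intended would save the next editor from guessing.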
@@ -24,12 +25,14 @@
 {
 "key": "network_scanning",
 "title": "Network Scanning",
+ "caption": "",
 "description": "Scan the network for devices to find the one being tested, identify wireless protocols in use",
 "tools": "NMAP, Wireshark, tcpdump"
 },
 {
 "key": "rf_scanning",
 "title": "Radio Frequency Scanning",
+ "caption": "",
 "description": "Identify any radio communications, frequencies, modulation the device might be using, identify wireless protocols in use",
 "tools": "HackRF, LimeSDR, BladeRF, Universal Radio Hacker (URH), other various rf sniffers",
 "type": "checklist",
@@ -37,18 +40,21 @@
 {
 "key": "bluetooth_ble",
 "title": "Bluetooth and BLE",
+ "caption": "",
 "description": "Try to sniff the communication, check if it's encrypted, can it be decrypted, are replay attacks possible, check if sensitive information being transmitted in plaintext",
 "tools": "Flipper, Ubertooth, Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), btmon (linux), Bluetooth Virtual Sniffer (Windows)"
 },
 {
 "key": "zigbee_lora",
 "title": "ZigBee and LoRa",
+ "caption": "",
 "description": "For ZigBee and LoRa devices, try to sniff the communication, capture the encryption key exchange (during active recon see if it's hardcoded on the device), check if the communication can be decrypted, and determine if replay attacks are possible. For LoRa, also check for LoRaWAN-specific vulnerabilities, such as weak join procedures, unencrypted payloads, and improper key management.",
 "tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software, Semtech LoRaWAN sniffer, TTN Packet Forwarder, SDR tools supporting LoRa (HackRF, LimeSDR, BladeRF), Universal Radio Hacker (URH)"
 },
 {
 "key": "near_field_communication",
 "title": "NFC Testing",
+ "caption": "",
 "description": "For card readers like access control locks and credit cards, can also be used in mobile testing. Try to read the information on the card, is it encrypted, can it be decrypted, can you forge a request, does the reader allow you to write to it so it will accept forged messages",
 "tools": "flipper (base model is limited, additional hardware can be installed), Proxmark"
 }
@@ -65,6 +71,7 @@
 {
 "key": "opening_device",
 "title": "Opening up the Device Under Test",
+ "caption": "",
 "description": "Open up the device to identify the various components and find data sheets online for the various components, map out PCB, find open ports (UART, JTAG)",
 "tools": "screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, Multimeter, XRAY, probes, oscilloscope, magnifying glass, logic analyzer",
 "type": "checklist",
@@ -73,18 +80,21 @@
 {
 "key": "visual_component_identification",
 "title": "Visual Component Identification",
+ "caption": "",
 "description": "Using a magnifying glass identify the various components on the PCB in the device, determine what they do and how they connect together, look up datasheets for important components online and read through them",
 "tools": "magnifying glass, Search Engines"
 },
 {
 "key": "measure_voltage_resistance_continuity",
 "title": "Measuring Voltage, Resistance, and Continuity",
+ "caption": "",
 "description": "Using a multimeter identify GND, Vcc, N/C, Pull-Up resistors to help map out the board, verify the different pins identified in the datasheets, and enumerate debug ports",
 "tools": "multimeter"
 },
 {
 "key": "id_debug_ports",
 "title": "ID Debug Ports",
+ "caption": "",
 "description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
 "tools": "multimeter, logic analyzer, oscilloscope, soldering iron"
 }
@@ -102,12 +112,14 @@
 {
 "key": "dump_download_firmware",
 "title": "Dump or Download Firmware for Analysis",
+ "caption": "",
 "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
 "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
 },
 {
 "key":"firmware_analysis",
 "title":"Firmware Analysis",
+ "caption": "",
 "description":"Reverse engineering the dumped firmware. Identify encryption if used and try to decrypt it. Use emulation software to help analyze it. Analyze and search the firmware for hardcoded passwords/keys and other sensitive information.",
 "tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf"
 }
@@ -122,18 +134,21 @@
 {
 "key":"replay_attacks",
 "title":"Replay Attacks",
+ "caption": "",
 "description":"Using the sniffed traffic, determine if replay attacks are possible. Check if the device accepts modified requests and if you can make changes to the configuration. Verify if the device uses unencrypted communication.",
 "tools":"Wireshark, hackRF, python"
 },
 {
 "key":"shared_resources",
 "title":"Improper Isolation of Shared Resources",
+ "caption": "",
 "description":"A SOC may use pin multiplexing allowing an untrusted agent to access assets/info intended to trusted agents only",
 "CWE":"CWE-1189"
 },
 {
 "key":"bac_on_chip_debugger",
 "title":"Broken Access Control for On-Chip Debugger",
+ "caption": "",
 "description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access control during different boot stages.",
 "CWE": ["CWE-1191", "CWE-1244"],
 "tools":"jtagulator, SOIC-8 clip"
@@ -141,18 +156,21 @@
 {
 "key":"improper_lock_bit_protection",
 "title":"Improper Lock Bit Protection",
+ "caption": "",
 "description":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.",
 "CWE": ["CWE-1231", "CWE-1233"]
 },
 {
 "key":"cryptographic_implementation",
 "title":"Cryptographic Implementation",
+ "caption": "",
 "description":"Assess if the cryptographic algorithm in use is non-standard or a disallowed/non-compliant version.",
 "CWE":"CWE-1240"
 },
 {
 "key": "fault_injection_and_side_channel_attacks",
 "title": "Fault Injection and Side Channel Attacks",
+ "caption": "",
 "description": "Test for fault injection and side channel attacks that can bypass security measures to dump firmware, access sensitive information, perform code execution, skip authentication, or escalate privileges.",
 "CWE": ["CWE-1256", "CWE-1300"],
 "tools": "chipwhisperer, oscilloscope, pcb workstation with nano probes"
@@ -160,30 +178,35 @@
 {
 "key":"memory_overlap",
 "title":"Improper Handling of Memory Overlap",
+ "caption": "",
 "description":"Assess if isolated memory regions and access control policies allow software with low privileges to make changes to overlapping memory also used by software running with higher privileges.",
 "CWE":"CWE-1260"
 },
 {
 "key":"clearing_memory_during_state_transition",
 "title":"Sensitive Information Uncleared Before State Transition",
+ "caption": "",
 "description":"Assess if sensitive information only needed for one state is cleared after transitioning to the next state, such as during boot or waking up from sleep mode.",
 "CWE":"CWE-1272"
 },
 {
 "key":"volatile_memory_boot_code",
 "title":"Improper Access Control for Volatile Memory for Boot Code",
+ "caption": "",
 "description":"Assess if the secure boot process can be bypassed to execute untrusted malicious boot code",
 "CWE":"CWE-1274"
 },
 {
 "key":"firmware_not_updating",
 "title":"Firmware Not Getting Updates",
+ "caption": "",
 "description":"Verify if the firmware can receive regular updates as vulnerabilities are discovered in the future.",
 "CWE":"CWE-1277"
 },
 {
 "key":"root_shell",
 "title":"Root Shell Access",
+ "caption": "",
 "description":"Try to gain root shell access on the device using an enabled communication protocol, i.e. telnet or ssh, or using an open debug port to interrupt the boot process.",
 "tools":"SOIC-8 clip, Burp, Caido, GNU Screen"
 }
@@ -196,7 +219,7 @@
 "type": "large_upload"
 },
 {
- "key": "executive_summary",
+ "key": "executive_summary",
 "title": "Executive summary",
 "description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
 "type": "executive_summary"
From 17b52e0a80b6b29edfc5b57043e102027a25f336 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 21:57:08 +0530
Subject: [PATCH 45/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 55481fc..cd00d1c 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -136,7 +136,7 @@
 "title":"Replay Attacks",
 "caption": "",
 "description":"Using the sniffed traffic, determine if replay attacks are possible. Check if the device accepts modified requests and if you can make changes to the configuration. Verify if the device uses unencrypted communication.",
- "tools":"Wireshark, hackRF, python"
+ "tools":"Wireshark, HackRF, python"
 },
 {
 "key":"shared_resources",
From 6c1513b6c8b5b8152fbf0de00359c98c42092eea Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 21:57:26 +0530
Subject: [PATCH 46/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index cd00d1c..983906e 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -114,7 +114,7 @@
 "title": "Dump or Download Firmware for Analysis",
 "caption": "",
 "description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
- "tools": "desoldering station, jtagulator, minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
+ "tools": "desoldering station, JTAGulator, Minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
 },
 {
 "key":"firmware_analysis",
From 8aa66e92ab9a5fcc300692cc6aa11fd75322acb0 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 21:57:35 +0530
Subject: [PATCH 47/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 983906e..fc50686 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -151,7 +151,7 @@
 "caption": "",
 "description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access control during different boot stages.",
 "CWE": ["CWE-1191", "CWE-1244"],
- "tools":"jtagulator, SOIC-8 clip"
+ "tools":"JTAGulator, SOIC-8 clip"
 },
 {
 "key":"improper_lock_bit_protection",
From 69927f8a25bc086c0032110414d6a82e5146138c Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 22:05:16 +0530
Subject: [PATCH 48/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index fc50686..a5b2f5c 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -12,8 +12,7 @@
 "title": "Passive Recon",
 "description": "Information gathering before turning off or opening the device",
 "type": "checklist",
- "items":
- [
+ "items": [
 {
 "key": "open_source_intelligence",
 "title": "Open Source Intelligence",
From eea0d1783ade0fbbf07aec22e779add679428136 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 22:05:24 +0530
Subject: [PATCH 49/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index a5b2f5c..1d054a7 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -106,8 +106,7 @@
 "title": "Accessing and Analysing Firmware",
 "description": "Using info gathered during active and passive recon access and reverse engineer the firmware for the device.",
 "type": "checklist",
- "items":
- [
+ "items": [
 {
 "key": "dump_download_firmware",
 "title": "Dump or Download Firmware for Analysis",
From 95a1fb843e9466d0439e16a57e5ec080e022f854 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 22:05:32 +0530
Subject: [PATCH 50/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 1d054a7..3b89073 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -128,7 +128,7 @@
 "title":"Testing the Device",
 "description":"Using all of the information gathered start testing the device for security vulnerabilities.",
 "type":"checklist",
- "items":[
+ "items": [
 {
 "key":"replay_attacks",
 "title":"Replay Attacks",
From 2ac333320615946939828d8c5658e92aa128ab15 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 22:05:43 +0530
Subject: [PATCH 51/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 3b89073..54a78ab 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -184,7 +184,7 @@
 "key":"clearing_memory_during_state_transition",
 "title":"Sensitive Information Uncleared Before State Transition",
 "caption": "",
- "description":"Assess if sensitive information only needed for one state is cleared after transitioning to the next state, such as during boot or waking up from sleep mode.",
+ "description":"Assess if sensitive information only needed for one state is cleared after transitioning to the next state, such as during boot or waking up from sleep mode.",
 "CWE":"CWE-1272"
 },
 {
From 4cf91972a141c5f73f78c16ca0e18e159985ec57 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 22:05:56 +0530
Subject: [PATCH 52/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 54a78ab..7ae2cd5 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -94,7 +94,7 @@
 "key": "id_debug_ports",
 "title": "ID Debug Ports",
 "caption": "",
- "description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
+ "description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
 "tools": "multimeter, logic analyzer, oscilloscope, soldering iron"
 }
 ]
From d99faee3e3207ce7cac15804d0eef1b8228fd0d1 Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 22:06:02 +0530
Subject: [PATCH 53/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 7ae2cd5..02c72a5 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -74,8 +74,7 @@
 "description": "Open up the device to identify the various components and find data sheets online for the various components, map out PCB, find open ports (UART, JTAG)",
 "tools": "screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, Multimeter, XRAY, probes, oscilloscope, magnifying glass, logic analyzer",
 "type": "checklist",
- "items":
- [
+ "items": [
 {
 "key": "visual_component_identification",
 "title": "Visual Component Identification",
From b8082e15231c88c322cb63b5d8de788a8649a75d Mon Sep 17 00:00:00 2001
From: Adarsha K S <148948906+adarshaks91@users.noreply.github.com>
Date: Tue, 2 Sep 2025 22:10:56 +0530
Subject: [PATCH 54/56] Update methodologies/hardware_testing.json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 methodologies/hardware_testing.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 02c72a5..0d6a124 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -55,7 +55,7 @@
 "title": "NFC Testing",
 "caption": "",
 "description": "For card readers like access control locks and credit cards, can also be used in mobile testing. Try to read the information on the card, is it encrypted, can it be decrypted, can you forge a request, does the reader allow you to write to it so it will accept forged messages",
- "tools": "flipper (base model is limited, additional hardware can be installed), Proxmark"
+ "tools": "Flipper (base model is limited, additional hardware can be installed), Proxmark"
 }
 ]
 }
From 596dca8f7fe863de11a511c108bf866d983eedad Mon Sep 17 00:00:00 2001
From: Adarsha K S
Date: Tue, 2 Sep 2025 22:23:19 +0530
Subject: [PATCH 55/56] use enumeration for CWEs

---
 methodologies/hardware_testing.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 0d6a124..41d0d96 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json
@@ -140,7 +140,7 @@
 "title":"Improper Isolation of Shared Resources",
 "caption": "",
 "description":"A SOC may use pin multiplexing allowing an untrusted agent to access assets/info intended to trusted agents only",
- "CWE":"CWE-1189"
+ "CWE": ["CWE-1189"]
 },
 {
 "key":"bac_on_chip_debugger",
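Review bot: Normalising `CWE` to an array is the right call — a key that is sometimes a string and sometimes an array forces every consumer to special-case it — but the key itself is the only upper-case name in a file that is otherwise snake_case (`key`, `vrt_category`, `caption`); since the file is new in this series, `cwe` would keep the naming consistent, and the same applies to the remaining hunks of this commit (`@@ -162,7` and `@@ -177,28`). Whichever schema validates this file should require the array form so the string form cannot creep back in. The items in this hunk also keep the unspaced `"key":"shared_resources"` style next to the spaced `"caption": ""`.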
@@ -162,7 +162,7 @@
 "title":"Cryptographic Implementation",
 "caption": "",
 "description":"Assess if the cryptographic algorithm in use is non-standard or a disallowed/non-compliant version.",
- "CWE":"CWE-1240"
+ "CWE": ["CWE-1240"]
 },
 {
 "key": "fault_injection_and_side_channel_attacks",
@@ -177,28 +177,28 @@
 "title":"Improper Handling of Memory Overlap",
 "caption": "",
 "description":"Assess if isolated memory regions and access control policies allow software with low privileges to make changes to overlapping memory also used by software running with higher privileges.",
- "CWE":"CWE-1260"
+ "CWE": ["CWE-1260"]
 },
 {
 "key":"clearing_memory_during_state_transition",
 "title":"Sensitive Information Uncleared Before State Transition",
 "caption": "",
 "description":"Assess if sensitive information only needed for one state is cleared after transitioning to the next state, such as during boot or waking up from sleep mode.",
- "CWE":"CWE-1272"
+ "CWE": ["CWE-1272"]
 },
 {
 "key":"volatile_memory_boot_code",
 "title":"Improper Access Control for Volatile Memory for Boot Code",
 "caption": "",
 "description":"Assess if the secure boot process can be bypassed to execute untrusted malicious boot code",
- "CWE":"CWE-1274"
+ "CWE": ["CWE-1274"]
 },
 {
 "key":"firmware_not_updating",
 "title":"Firmware Not Getting Updates",
 "caption": "",
 "description":"Verify if the firmware can receive regular updates as vulnerabilities are discovered in the future.",
- "CWE":"CWE-1277"
+ "CWE": ["CWE-1277"]
 },
 {
 "key":"root_shell",
From 79e7e5734b7da591e30858d553460fac2b538e1d Mon Sep 17 00:00:00 2001
From: Adarsha K S
Date: Tue, 9 Sep 2025 10:22:47 +0530
Subject: [PATCH 56/56] Removed nested structure for checklist

---
 methodologies/hardware_testing.json | 50 ++++++++++++-----------------
 1 file changed, 20 insertions(+), 30 deletions(-)

diff --git a/methodologies/hardware_testing.json b/methodologies/hardware_testing.json
index 41d0d96..af13dc4 100644
--- a/methodologies/hardware_testing.json
+++ b/methodologies/hardware_testing.json 
@@ -63,40 +63,30 @@ }, { "key": "active_recon", - "title": "Active Recon", - "description": "Opening up, sniffing, and probing the device under test (DUT)", + "title": "Active Recon - Opening up the Device Under Test", + "description": "Open up the device to identify the various components and find data sheets online for the various components, map out PCB, find open ports (UART, JTAG). Use tools like screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, multimeter, XRAY, probes, oscilloscope, magnifying glass, and logic analyzer.", "type": "checklist", "items": [ { - "key": "opening_device", - "title": "Opening up the Device Under Test", + "key": "visual_component_identification", + "title": "Visual Component Identification", "caption": "", - "description": "Open up the device to identify the various components and find data sheets online for the various components, map out PCB, find open ports (UART, JTAG)", - "tools": "screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, Multimeter, XRAY, probes, oscilloscope, magnifying glass, logic analyzer", - "type": "checklist", - "items": [ - { - "key": "visual_component_identification", - "title": "Visual Component Identification", - "caption": "", - "description": "Using a magnifying glass identify the various components on the PCB in the device, determine what they do and how they connect together, look up datasheets for important components online and read through them", - "tools": "magnifying glass, Search Engines" - }, - { - "key": "measure_voltage_resistance_continuity", - "title": "Measuring Voltage, Resistance, and Continuity", - "caption": "", - "description": "Using a multimeter identify GND, Vcc, N/C, Pull-Up resistors to help map out the board, verify the different pins identified in the datasheets, and enumerate debug ports", - "tools": "multimeter" - }, - { - "key": "id_debug_ports", - "title": "ID Debug Ports", - "caption": "", - 
"description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them", - "tools": "multimeter, logic analyzer, oscilloscope, soldering iron" - } - ] + "description": "Using a magnifying glass identify the various components on the PCB in the device, determine what they do and how they connect together, look up datasheets for important components online and read through them", + "tools": "magnifying glass, Search Engines" + }, + { + "key": "measure_voltage_resistance_continuity", + "title": "Measuring Voltage, Resistance, and Continuity", + "caption": "", + "description": "Using a multimeter identify GND, Vcc, N/C, Pull-Up resistors to help map out the board, verify the different pins identified in the datasheets, and enumerate debug ports", + "tools": "multimeter" + }, + { + "key": "id_debug_ports", + "title": "ID Debug Ports", + "caption": "", + "description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them", + "tools": "multimeter, logic analyzer, oscilloscope, soldering iron" } ] },
